In database security, a known problem is defending against attacks by persons who possess a valid user-ID and password. Such persons cannot be denied access by the normal access control system, since they are in fact entitled to a certain amount of access. They may nevertheless be tempted to retrieve improper amounts of data, circumventing the protection the access controls were meant to provide. Several solutions to this problem have been suggested and are discussed below.
I. Network-Based Detection
Network intrusion monitors are attached to a packet-filtering router or packet sniffer to detect suspicious behavior on a network while it is occurring. The router or sniffer looks for signs that a network is being probed for attack with a port scanner, that users are falling victim to known traps involving URL or .lnk files, or that the network is actually under attack, for example through SYN flooding or unauthorized attempts to gain root access, among other types of attacks. Based on user specifications, these monitors can then record the session and alert the administrator or, in some cases, reset the connection. Examples of such tools include NetRanger and Cisco Secure Intrusion Detection System, available from Cisco Corporation of San Jose, California, and RealSecure®, available from Internet Security Systems, Inc. (ISS) of Atlanta, Georgia, as well as public domain products such as Klaxon, available at ftp://ftp.eng.auburn.edu/pub/doug/, which focus on a narrower set of attacks.
II. Server-Based Detection
Server-based detection tools analyze log, configuration and data files from individual servers as attacks occur, typically by placing some type of agent on each server and having the agent report to a central console. An example of a public domain tool in this category, performing a much narrower set of functions, is Tripwire®, available at http://sourceforge.net/projects/tripwire/, which checks data integrity. Tripwire® detects modifications made to operating system or user files and can send alerts to ISS's RealSecure® product, which then conducts a further set of security checks to monitor and combat any intrusion.
III. Security Query and Reporting Tools
Security query and reporting tools query network operating system (NOS) logs and other related logs for security events and/or mine those logs for security trend data. These tools therefore do not operate in real time and rely on users asking the right questions of the right systems. A typical query might be how many failed authentication attempts have occurred on certain NT servers in the past two weeks.
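The typical query above, worked through as an added example that is not code from any product named on this page. The log lines and their key=value layout are constructed for the example and are not a real NT event-log format; REPORT_TIME stands in for "now" so the result is reproducible, and a second function answers the usual follow-up of which accounts were involved.

```python
"""Off-line security query over authentication log lines.

Added example, not from any product named on this page. The log lines and
their key=value layout are constructed for the example; they are not a real
NT event-log format. REPORT_TIME stands in for "now" so the result is fixed.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Optional, Set

REPORT_TIME = datetime(2024, 3, 14, 0, 0, 0)   # assumed time the report is run
WINDOW = timedelta(days=14)                     # "the past two weeks"

# Constructed sample log: one authentication event per line.
SAMPLE_LOG = """\
2024-03-01T08:02:11 server=NT-FS01 user=jdoe outcome=FAIL
2024-03-01T08:02:15 server=NT-FS01 user=jdoe outcome=SUCCESS
2024-03-09T22:41:03 server=NT-FS01 user=admin outcome=FAIL
2024-03-09T22:41:07 server=NT-FS01 user=admin outcome=FAIL
2024-03-09T22:41:12 server=NT-FS01 user=admin outcome=FAIL
2024-03-10T03:15:00 server=NT-DC01 user=svc_backup outcome=FAIL
2024-02-01T12:00:00 server=NT-DC01 user=olduser outcome=FAIL
2024-03-12T09:00:00 server=NT-MAIL1 user=jdoe outcome=FAIL
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one event line into a dict, or return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        event = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for item in parts[1:]:
        key, sep, value = item.partition("=")
        if sep:
            event[key] = value
    return event if {"server", "user", "outcome"}.issubset(event) else None


def failures_in_window(lines: Iterable[str], now: datetime,
                       window: timedelta) -> Iterator[dict]:
    """Yield the failed-authentication events that fall inside [now - window, now]."""
    since = now - window
    for line in lines:
        ev = parse_line(line)
        if ev and ev["outcome"] == "FAIL" and since <= ev["time"] <= now:
            yield ev


def failed_logons_by_server(lines: Iterable[str], servers: Set[str],
                            now: datetime = REPORT_TIME,
                            window: timedelta = WINDOW) -> Dict[str, int]:
    """Count failed authentications per requested server within the window.

    Servers with no failures are reported with 0 so that silence is visible."""
    counts = Counter({s: 0 for s in servers})
    for ev in failures_in_window(lines, now, window):
        if ev["server"] in servers:
            counts[ev["server"]] += 1
    return dict(counts)


def failed_logons_by_user(lines: Iterable[str], server: str,
                          now: datetime = REPORT_TIME,
                          window: timedelta = WINDOW) -> Dict[str, int]:
    """Break one server's failures down by account, the usual follow-up question."""
    counts: Counter = Counter()
    for ev in failures_in_window(lines, now, window):
        if ev["server"] == server:
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(failed_logons_by_server(SAMPLE_LOG.splitlines(), {"NT-FS01", "NT-DC01"}))
    print(failed_logons_by_user(SAMPLE_LOG.splitlines(), "NT-FS01"))
```

Two points the paragraph makes are visible in the result: the event on 2024-02-01 is outside the two-week window and is not counted, and the three failures against "admin" within ten seconds only stand out because someone thought to ask the per-user question. Nothing here runs until the analyst runs it, which is exactly the limitation of this class of tool.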
IV. Inference Detection
A variation of conventional intrusion detection is the detection of specific patterns of information access, known as inference detection. The occurrence of such a pattern is deemed to signify that an intrusion is taking place even though the user is authorized to access each item of information involved. A method for such inference detection, i.e., pattern-oriented intrusion detection, is disclosed in U.S. Pat. No. 5,278,901 to Shieh et al., which is incorporated herein by reference.
None of these solutions is, however, entirely satisfactory. A primary drawback is that each concentrates on queries that have already been executed, providing at best after-the-fact notice that an attack has occurred.
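To make the inference detection of Section IV concrete, and to show what vetting a query before rather than after execution looks like, here is an added example. It is not the method of U.S. Pat. No. 5,278,901 and not code from this page. Each query is judged against what the same user has already retrieved in the session: attribute sets that are harmless alone but identifying in combination, and the cumulative number of rows. The policy constants, the attribute names and the estimated_rows figure (assumed to come from the query planner) are assumptions for the example.

```python
"""Session-level inference detection evaluated before a query executes.

Added example; it is not the method of U.S. Pat. No. 5,278,901 nor code
from this page. Each query is checked against what the same user has
already retrieved in the session: attributes that are harmless alone but
identifying in combination, and the cumulative number of rows. The policy
(SENSITIVE_COMBINATIONS, ROW_BUDGET) and the estimated_rows figure, assumed
to come from the query planner, are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Attribute sets each user may read individually, but not all together in one session.
SENSITIVE_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({"name", "dob", "ssn"}),
    frozenset({"name", "card_number"}),
]
# Rows a single session may retrieve before the volume itself is suspicious.
ROW_BUDGET = 500


@dataclass
class Query:
    user: str
    attributes: FrozenSet[str]
    estimated_rows: int   # planner estimate, known before execution (assumption)


@dataclass
class SessionState:
    attributes_seen: Set[str] = field(default_factory=set)
    rows_returned: int = 0


class InferenceMonitor:
    """Tracks per-user session state and vets each query before it runs."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionState] = {}

    def evaluate(self, q: Query) -> List[str]:
        """Return the policy violations q would cause; empty means it may run.

        State is updated only when the query is accepted, so a refused query
        does not change what later legitimate queries are judged against."""
        state = self._sessions.setdefault(q.user, SessionState())
        attrs_after = state.attributes_seen | q.attributes
        rows_after = state.rows_returned + q.estimated_rows

        violations: List[str] = []
        for combo in SENSITIVE_COMBINATIONS:
            if combo <= attrs_after:
                violations.append("completes sensitive combination "
                                  + ",".join(sorted(combo)))
        if rows_after > ROW_BUDGET:
            violations.append(f"session row budget exceeded: {rows_after} > {ROW_BUDGET}")

        if not violations:
            state.attributes_seen = attrs_after
            state.rows_returned = rows_after
        return violations

    def end_session(self, user: str) -> None:
        """Forget a user's accumulated state, e.g. at logout."""
        self._sessions.pop(user, None)


def demo() -> List[List[str]]:
    """Run a constructed query sequence and return the verdict for each query."""
    monitor = InferenceMonitor()
    sequence = [
        Query("alice", frozenset({"name", "dob"}), 40),   # allowed
        Query("alice", frozenset({"email"}), 40),         # allowed
        Query("alice", frozenset({"ssn"}), 40),           # completes name+dob+ssn
        Query("bob", frozenset({"name"}), 600),           # too many rows at once
        Query("alice", frozenset({"email"}), 10),         # still allowed: refusal left state intact
    ]
    return [monitor.evaluate(q) for q in sequence]


if __name__ == "__main__":
    for verdict in demo():
        print("ALLOW" if not verdict else "ALERT: " + "; ".join(verdict))
```

Two caveats a practitioner would add. A per-session row budget is defeated by simply reconnecting, so real deployments key the accumulated state by user over a longer window rather than by connection. And the row estimate has to come from something the client cannot influence, such as the planner or a LIMIT imposed by the gateway; a client-supplied figure is worthless as a control.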
Moreover, the above solutions presume a networked environment. While such environments are becoming increasingly ubiquitous, numerous situations still exist in which access to sensitive data must be regulated without persistent and/or frequent access to networked security devices. For example, employees may need access to databases while traveling and without network access. While replicating a database to a laptop is easily accomplished, protecting the data is critical, as demonstrated by recent well-publicized security breaches involving lost or stolen laptops.
Furthermore, reliance on networked security devices introduces a point of failure, which may be unacceptable in some situations. For example, while a retail store's cash registers may be networked, the cash registers should still be able to operate and access resources such as customer databases in the event of a network disruption.
Finally, it may be desirable to distribute intrusion detection analysis to the client level for greater performance.